修改内核路径

hc

2024-05-14 bedbef8ad3e75a304af6361af235302bcc61d06b

 kernel/include/linux/capability.h
..
..
@@ -14,7 +14,7 @@
14
14
 #define _LINUX_CAPABILITY_H
15
15
 
16
16
 #include <uapi/linux/capability.h>
17
-
17
+#include <linux/uidgid.h>
18
18
 
19
19
 #define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
20
20
 #define _KERNEL_CAPABILITY_U32S    _LINUX_CAPABILITY_U32S_3
..
..
@@ -25,11 +25,12 @@
25
25
 	__u32 cap[_KERNEL_CAPABILITY_U32S];
26
26
 } kernel_cap_t;
27
27
 
28
-/* exact same as vfs_cap_data but in cpu endian and always filled completely */
28
+/* same as vfs_ns_cap_data but in cpu endian and always filled completely */
29
29
 struct cpu_vfs_cap_data {
30
30
 	__u32 magic_etc;
31
31
 	kernel_cap_t permitted;
32
32
 	kernel_cap_t inheritable;
33
+	kuid_t rootid;
33
34
 };
34
35
 
35
36
 #define _USER_CAP_HEADER_SIZE  (sizeof(struct __user_cap_header_struct))
..
..
@@ -209,6 +210,7 @@
209
210
 extern bool capable(int cap);
210
211
 extern bool ns_capable(struct user_namespace *ns, int cap);
211
212
 extern bool ns_capable_noaudit(struct user_namespace *ns, int cap);
213
+extern bool ns_capable_setid(struct user_namespace *ns, int cap);
212
214
 #else
213
215
 static inline bool has_capability(struct task_struct *t, int cap)
214
216
 {
..
..
@@ -240,11 +242,30 @@
240
242
 {
241
243
 	return true;
242
244
 }
245
+static inline bool ns_capable_setid(struct user_namespace *ns, int cap)
246
+{
247
+	return true;
248
+}
243
249
 #endif /* CONFIG_MULTIUSER */
244
250
 extern bool privileged_wrt_inode_uidgid(struct user_namespace *ns, const struct inode *inode);
245
251
 extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
246
252
 extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
247
253
 extern bool ptracer_capable(struct task_struct *tsk, struct user_namespace *ns);
254
+static inline bool perfmon_capable(void)
255
+{
256
+	return capable(CAP_PERFMON) || capable(CAP_SYS_ADMIN);
257
+}
258
+
259
+static inline bool bpf_capable(void)
260
+{
261
+	return capable(CAP_BPF) || capable(CAP_SYS_ADMIN);
262
+}
263
+
264
+static inline bool checkpoint_restore_ns_capable(struct user_namespace *ns)
265
+{
266
+	return ns_capable(ns, CAP_CHECKPOINT_RESTORE) ||
267
+		ns_capable(ns, CAP_SYS_ADMIN);
268
+}
248
269
 
249
270
 /* audit system wants to get cap info from files as well */
250
271
 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);